pcap_dns_analysis
Extract and analyze DNS queries from PCAP files to identify query patterns, DNS servers, and IPv6 endpoints for network forensics and security testing.
Instructions
Extract and analyze DNS queries from a PCAP. Returns dns_queries_by_frequency, dns_servers, and ipv6_dns_endpoints. Read-only file analysis.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| pcap_path | Yes | Path to the PCAP file | |
| source_ip | No | Filter DNS queries from a specific source IP | |
Implementation Reference
- src/tools/pcap.ts:113-151 (handler): the implementation of the pcap_dns_analysis tool, which extracts and analyzes DNS queries from a PCAP file using tshark commands.
```typescript
// Excerpt from src/tools/pcap.ts (lines 113-151): the tool name, description,
// input schema and handler as passed to the tool registration call.
"pcap_dns_analysis",
"Extract and analyze DNS queries from a PCAP. Returns dns_queries_by_frequency, dns_servers, and ipv6_dns_endpoints. Read-only file analysis.",
{
  pcap_path: z.string().describe("Path to the PCAP file"),
  source_ip: z
    .string()
    .optional()
    .describe("Filter DNS queries from a specific source IP"),
},
async ({ pcap_path, source_ip }) => {
  requireTool("tshark");                // fail early if tshark is not installed
  const pcap = validatePcap(pcap_path); // check that the path points at a readable PCAP

  // Display filter: DNS frames whose response flag is 0, i.e. queries only.
  let filterExpr = "dns.flags.response == 0";
  if (source_ip) {
    // source_ip is interpolated unvalidated into the shell command strings below;
    // it should be checked to be an IP address literal before it is used here.
    filterExpr += ` && ip.src == ${source_ip}`;
  }

  // Queried names, counted and ordered by frequency (top 100 lines).
  const queries = await runShell(
    `tshark -r '${pcap}' -Y '${filterExpr}' -T fields -e dns.qry.name 2>/dev/null | sort | uniq -c | sort -rn | head -100`
  );
  // Unique IPv4 destinations of all queries: the DNS servers in use.
  const dnsServers = await runShell(
    `tshark -r '${pcap}' -Y 'dns.flags.response == 0' -T fields -e ip.dst 2>/dev/null | sort -u`
  );
  // IPv6 endpoints seen in DNS traffic (first 20 unique dst/src pairs).
  const ipv6Dns = await runShell(
    `tshark -r '${pcap}' -Y 'dns && ipv6' -T fields -e ipv6.dst -e ipv6.src 2>/dev/null | sort -u | head -20`
  );

  const result = {
    dns_queries_by_frequency: queries.stdout.slice(0, 3000), // cap the text at 3000 characters
    dns_servers: parseLines(dnsServers.stdout),
    ipv6_dns_endpoints: parseLines(ipv6Dns.stdout),
  };
  return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
}
);
```
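As an added example (not the project's code), the same query extraction written so that the user-supplied source_ip never reaches a shell string: the address is validated with `isIP` from `node:net` before it enters the display filter, tshark is started with an argument array instead of a shell pipeline, and the `sort | uniq -c | sort -rn | head` step is done in-process. It goes beyond the original by also accepting an IPv6 source (filtering on `ipv6.src`); the sample tshark output at the bottom is constructed.

```typescript
import { execFile } from "node:child_process";
import { promisify } from "node:util";
import { isIP } from "node:net";

const execFileAsync = promisify(execFile);

// Build the tshark display filter. The optional source address is checked with
// net.isIP first, so only an IPv4/IPv6 literal can ever appear in the filter.
function buildDnsQueryFilter(sourceIp?: string): string {
  let filter = "dns.flags.response == 0"; // queries only, not responses
  if (sourceIp !== undefined) {
    const version = isIP(sourceIp); // 4, 6, or 0 when not an address
    if (version === 0) {
      throw new Error(`source_ip is not a valid IP address: ${JSON.stringify(sourceIp)}`);
    }
    // ip.src only matches IPv4 headers; IPv6 sources live in ipv6.src.
    filter += version === 4 ? ` && ip.src == ${sourceIp}` : ` && ipv6.src == ${sourceIp}`;
  }
  return filter;
}

// In-process replacement for `sort | uniq -c | sort -rn | head -N`:
// count each queried name and return the most frequent first.
function countByFrequency(lines: string[], limit = 100): Array<[string, number]> {
  const counts = new Map<string, number>();
  for (const raw of lines) {
    const name = raw.trim();
    if (name === "") continue; // tshark emits an empty field for frames without a qname
    counts.set(name, (counts.get(name) ?? 0) + 1);
  }
  return Array.from(counts.entries())
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))
    .slice(0, limit);
}

// Run tshark with an argument array (no shell), so neither the path nor the
// filter is ever re-parsed by /bin/sh.
async function extractDnsQueries(pcapPath: string, sourceIp?: string): Promise<Array<[string, number]>> {
  const { stdout } = await execFileAsync("tshark", [
    "-r", pcapPath,
    "-Y", buildDnsQueryFilter(sourceIp),
    "-T", "fields",
    "-e", "dns.qry.name",
  ]);
  return countByFrequency(stdout.split("\n"));
}

// Constructed sample of `tshark -T fields -e dns.qry.name` output, one name per line.
const sampleTsharkOutput = ["example.com", "example.com", "", "mail.example.net", "example.com", "mail.example.net"];
```

`extractDnsQueries(path, ip)` is the drop-in for the first `runShell` call; `countByFrequency(sampleTsharkOutput)` shows the counting step offline.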